From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 26 Nov 2019 14:40:07 +0800
Subject: efi: Lock down the kernel at the integrity level if booted in secure boot mode
Patch-mainline: Never, SUSE specific tweak
References: jsc#SLE-9870

perf and bpf are restricted at the confidentiality level, but those
functions are available on SLE. So we use the integrity level here.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
arch/x86/kernel/setup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1036,7 +1036,7 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
- security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
reserve_ibft_region();
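
Review bot: On the changed security_lock_kernel_down() call, passing LOCKDOWN_INTEGRITY_MAX relaxes every restriction that exists only at the confidentiality level, while the commit message justifies the change for perf and bpf alone. Please add a short comment above the call explaining why Secure Boot stops at the integrity level on SLE, and state in the changelog that the remaining confidentiality-only restrictions are dropped too, so the wider effect is a documented decision rather than a side effect. If the help text for CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT describes the lockdown level, it needs the same update.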